Creating a Point-to-Site VPN on Azure

To understand the options you have for connecting your organization to Azure, I recommend reading this older post. In this post, I want to share what you need to configure to implement a Point-to-Site (P2S) VPN between an individual PC in your organization and your Azure environment.

This is the typical process for creating and configuring a virtual network with point-to-site connectivity:

Create the root and client certificates. Certificates authenticate the VPN tunnel. To create a self-signed root certificate, you can use the makecert.exe command-line tool to run the following command:

    makecert -sky exchange -r -n "CN=RootCertificateName" -pe -a sha1 -len 2048 -ss My "RootCertificateName.cer"

Next, you need to generate client certificates. If you created a self-signed root certificate, you can use the same makecert.exe command-line tool with the following parameters:

    makecert.exe -n "CN=ClientCertificateName" -pe -sky exchange -m 96 -ss My -in "RootCertificateName" -is my -a sha1

This command creates a client certificate and stores it in your user account's Personal certificate store on the local computer. You can create as many client certificates as needed by running the same command with different values for the -n parameter. I recommend that you create a unique client certificate for each VPN client, because this lets you revoke certificates on a per-user basis. After you create the client certificates, export them in the Personal Exchange File (.pfx) format and import them into the Personal certificate store on the computer of each user who will be using the point-to-site VPN.

Create a dynamic routing gateway. A gateway is a mandatory component of a point-to-site VPN connection. You will need to create a corresponding subnet named GatewaySubnet to host the gateway, and define a VPN client IP address pool. You will also need to request a dynamically allocated public IP address. Provisioning a new point-to-site VPN gateway usually takes up to 15 minutes.

Download and install the VPN client software. After you configure a dynamic gateway and certificates, you will see a link to download a VPN client for a supported operating system. Download the appropriate VPN client (32-bit or 64-bit), and install it on client computers that will be initiating a VPN connection. These are the same computers onto which you installed the client certificates in the first step.

Note: At the time of writing, the Azure portal does not support creating a point-to-site virtual network.

Creating a point-to-site connection

The following procedure describes how to create a virtual network and configure a point-to-site virtual network connection by using Azure PowerShell commands.

Configure Azure prerequisites for a point-to-site connection

To configure the Azure prerequisites for a point-to-site connection:

Start Azure PowerShell and sign in to your subscription: type the following command, and then press Enter:

    Login-AzureRmAccount

If there are multiple subscriptions associated with your account, select the target subscription in which you are going to create the virtual network and configure the point-to-site VPN: type the following command, and then press Enter:

    Select-AzureRmSubscription -SubscriptionId <SUBSCRIPTION_ID>

Create a new resource group: type the following command, and then press Enter:

    New-AzureRmResourceGroup -Name P2S-RG -Location westus

Add a front-end subnet to the new virtual network: type the following command, and then press Enter:

    Add-AzureRmVirtualNetworkSubnetConfig -Name FrontEnd -VirtualNetwork $vnet -AddressPrefix 10.11.0.0/16

Add a gateway subnet to the new virtual network: type the following command, and then press Enter:

    Add-AzureRmVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet -AddressPrefix 10.15.255.0/26

Set a variable for the gateway subnet for which you will request a public IP address: type the following command, and then press Enter:

    $subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

Provide the IP configuration that the VPN gateway requires: type the following command, and then press Enter:

    $ipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name GWIPConfig -Subnet $subnet -PublicIpAddress $pip

Update the configuration of the virtual network: type the following command, and then press Enter:

    Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

Create root and client certificates

You need to provision certificates to authenticate clients as they connect to the VPN gateway and to encrypt the resulting connection. You must generate a self-signed root certificate, upload its public data to Azure, use it to issue a client certificate, and then install the client certificate on your computer. To complete these tasks, use the following steps:

For computers running Windows 10, you need to install the Windows 10 SDK, and then open the command prompt in the location where the makecert.exe tool is installed. On computers running the 64-bit version of Windows 10, the default installation location is the platform-specific subfolder under the C:\Program Files (x86)\Windows Kits\10\bin folder. On computers running the 32-bit version of Windows 10, the default installation location is the platform-specific subfolder under C:\Program Files\Windows Kits\10\bin.

From the Windows PowerShell prompt, read the ContosoRootCertificate from the Personal certificate store, export its public data as a Base-64 encoded string, and store the string in the variable $rootCertText:

    $rootCer = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.Subject -eq 'CN=ContosoRootCertificate' }
    $rootCertText = [System.Convert]::ToBase64String($rootCer.RawData)

To prepare the root certificate for use as the Azure virtual network VPN root certificate, type the following command from the Windows PowerShell prompt, and then press Enter:

    $rootCert = New-AzureRmVpnClientRootCertificate -Name ContosoRootCert -PublicCertData $rootCertText
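The two certificate steps above, together with the per-user revocation that the unique client certificates make possible, as one added example script (this is not code from the original post). It assumes the root certificate subject CN=ContosoRootCertificate from the text, a client certificate subject CN=ContosoClientCertificate, a gateway named P2S-GW in the resource group P2S-RG (gateway and client names are assumptions), and the AzureRM.Network cmdlets.

```powershell
# Added example, not from the original post. Assumed names: CN=ContosoClientCertificate,
# gateway P2S-GW, resource group P2S-RG.

# 1. Locate the root certificate and check it is the self-signed root we intend to
#    trust: exactly one match, issued to itself, and the private key is present here.
$rootCer = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq 'CN=ContosoRootCertificate' }

if (@($rootCer).Count -ne 1) {
    throw "Expected exactly one root certificate, found $(@($rootCer).Count)."
}
if ($rootCer.Subject -ne $rootCer.Issuer -or -not $rootCer.HasPrivateKey) {
    throw 'Not a self-signed root with a private key; refusing to upload it to Azure.'
}

# 2. Export only the public portion. RawData is the DER-encoded certificate, so the
#    Base-64 string carries no private key. A .pfx export must never be uploaded here.
$rootCertText = [System.Convert]::ToBase64String($rootCer.RawData)
$rootCert = New-AzureRmVpnClientRootCertificate -Name ContosoRootCert -PublicCertData $rootCertText

# 3. Revoke one user's client certificate by thumbprint. Because every user received a
#    unique client certificate, only that user is blocked; the root and all other
#    clients remain valid.
$clientCer = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq 'CN=ContosoClientCertificate' }   # assumed client CN

Add-AzureRmVpnClientRevokedCertificate `
    -VpnClientRevokedCertificateName 'ContosoClientCertificate-revoked' `
    -VirtualNetworkGatewayName 'P2S-GW' `
    -ResourceGroupName 'P2S-RG' `
    -Thumbprint $clientCer.Thumbprint

# 4. Confirm the gateway now lists the revoked thumbprint.
$gw = Get-AzureRmVirtualNetworkGateway -Name 'P2S-GW' -ResourceGroupName 'P2S-RG'
$gw.VpnClientConfiguration.VpnClientRevokedCertificates | Select-Object Name, Thumbprint
```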

Create an Azure VPN gateway

Point-to-site connections require a virtual network gateway in the virtual network that routes traffic to the on-premises client computers. You also need to define an IP address pool from which addresses are allocated to clients that use the point-to-site VPN connection. In the command that follows, you use the "192.168.0.0/24" IP address range. To create the virtual gateway, type the following command, and then press Enter:

With more than 18 years experience in Datacenter Architectures, Marcos Nogueira is currently working as a Principal Cloud Solution Architect. He is an expert in Private and Hybrid Cloud, with a focus on Microsoft Azure, Virtualization and System Center. He has worked in several industries, including Aerospace, Transportation, Energy, Manufacturing, Financial Services, Government, Health Care, Telecoms, IT Services, and Gas & Oil in different countries and continents.

Marcos was a Canadian MVP in System Center Cloud & Datacenter Management and has been Microsoft Certified for more than 14 years, with more than 100 certifications (MCT, MCSE, and MCITP, among others). Marcos is also certified in VMware, CompTIA and ITIL v3. He has assisted Microsoft in the development of workshops and special events on Private & Hybrid Cloud, Azure, System Center, Windows Server and Hyper-V, and has spoken at several Microsoft TechEd/Ignite and community events around the world.
